CVE-2025-55210 (GCVE-0-2025-55210)
Vulnerability from cvelistv5
Published: 2026-02-12 16:22
Modified: 2026-02-26 14:44
CWE
- CWE-270 - Privilege Context Switching Error
Summary
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.
References
| URL | Tags |
|---|---|
| https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf | x_refsource_CONFIRM |
| https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b | x_refsource_MISC |
| https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002 | x_refsource_MISC |
| https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef | x_refsource_MISC |
Impacted products
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55210",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-13T04:56:39.406147Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:21.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "api",
          "vendor": "FreePBX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.0.1alpha1, \u003c 16.0.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0, \u003c 17.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they\u0027ve already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T16:22:42.967Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf"
        },
        {
          "name": "https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b"
        },
        {
          "name": "https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002"
        },
        {
          "name": "https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef"
        }
      ],
      "source": {
        "advisory": "GHSA-gvgh-p7wj-76cf",
        "discovery": "UNKNOWN"
      },
      "title": "FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55210",
    "datePublished": "2026-02-12T16:22:42.967Z",
    "dateReserved": "2025-08-08T21:55:07.966Z",
    "dateUpdated": "2026-02-26T14:44:21.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55210\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-13T04:56:39.406147Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T16:40:21.586Z\"}}], \"cna\": {\"title\": \"FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes\", \"source\": {\"advisory\": \"GHSA-gvgh-p7wj-76cf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"FreePBX\", \"product\": \"api\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 15.0.1alpha1, \u003c 16.0.17\"}, {\"status\": \"affected\", \"version\": \"\u003e= 17.0.0, \u003c 17.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf\", \"name\": \"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b\", \"name\": \"https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002\", \"name\": \"https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef\", \"name\": \"https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they\u0027ve already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-270\", \"description\": \"CWE-270: Privilege Context Switching Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-12T16:22:42.967Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55210\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T14:44:21.186Z\", \"dateReserved\": \"2025-08-08T21:55:07.966Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-12T16:22:42.967Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.